AWS IAM high security documentation change
Summary
Updated CloudTrail logging behavior to specify that `secretAccessKey` is excluded from `responseElements` in STS AssumeRole* API logs
Security assessment
The change explicitly redacts `secretAccessKey` from CloudTrail logs for STS AssumeRole APIs. This prevents sensitive credential exposure in logs, directly addressing a security risk of potential credential leakage. The modification provides concrete evidence of security hardening.
Diff
diff --git a/IAM/latest/UserGuide/cloudtrail-integration.md b/IAM/latest/UserGuide/cloudtrail-integration.md index fc05e18ff..4c1eac107 100644 --- a//IAM/latest/UserGuide/cloudtrail-integration.md +++ b//IAM/latest/UserGuide/cloudtrail-integration.md @@ -110 +110 @@ Externally authenticated user | AssumeRoleWithWebIdentity | n/a | OIDC/Web user -CloudTrail considers an action read-only if it does not have any mutating effect on a resource. When logging a read-only event, CloudTrail redacts the `responseElements` information in the log. When CloudTrail logs an event that is not read-only, the full `responseElements` is shown in the log entry. However, for the AWS STS APIs `AssumeRole`, `AssumeRoleWithSAML`, and `AssumeRoleWithWebIdentity`, even though they are logged as read-only, CloudTrail will include the full `responseElements` in the log for these APIs. +CloudTrail considers an action read-only if it does not have any mutating effect on a resource. When logging a read-only event, CloudTrail redacts the `responseElements` information in the log. When CloudTrail logs an event that is not read-only, the full `responseElements` is shown in the log entry. For the AWS STS APIs `AssumeRole`, `AssumeRoleWithSAML`, and `AssumeRoleWithWebIdentity`, even though they are logged as read-only, CloudTrail will include the full `responseElements` except `secretAccessKey` in the log for these APIs.